Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Tales from the wrong end - life as an open-source maintainer

Tales from the wrong end - life as an open-source maintainer

I'm the maintainer of a *very* popular open-source PHP package - PHPMailer. In December 2016, two critical remote code execution vulnerabilities were found in PHPMailer, affecting potentially tens of millions of sites. There's a lot that goes on behind a CVE number - I'd been involved in reporting some minor security issues in the past, but nothing of this magnitude, and never at the receiving end, so I found myself at the start of a steep learning curve and an emotional roller-coaster. This is the story of how I ended up as the maintainer of a major open-source project, dealing with the project, vulnerabilities, contributions, donations and more.

I gave this talk at ConFoo Montreal 2018, though I have also given it at the Dutch PHP conference 2017 and PHP Benelux 2018, where it was very well received:


Marcus Bointon

March 09, 2018

More Decks by Marcus Bointon

Other Decks in Technology


  1. Marcus Bointon @SynchroM joind.in/talk/61f6a Once upon a time…

  2. Tales from the wrong end Marcus Bointon @SynchroM Technical director,

    Synchromedia Limited & Smartmessages.net Maintainer of PHPMailer
  3. Marcus Bointon @SynchroM joind.in/talk/61f6a What’s PHPMailer? • Email creation and

    sending class for PHP • Constructs RFC822 messages • text + HTML multiparts, attachments, headers, etc • Sends using PHP mail() function or SMTP • Authentication • SMTPS / SMTP+STARTTLS • No dependencies
  4. Marcus Bointon @SynchroM joind.in/talk/61f6a PHPMailer Popularity

  5. Marcus Bointon @SynchroM joind.in/talk/61f6a How did I end up here?

    2001 2010 2008 Synchro 2013 PHPMailer
  6. Marcus Bointon @SynchroM joind.in/talk/61f6a Responsible disclosure • Someone finds a

    vulnerability • Reports it to vendor / maintainer • Vendor develops mitigation / patch • Typically 90 days allowed • Patch released • Vulnerability disclosed
  7. Marcus Bointon @SynchroM joind.in/talk/61f6a CVE Numbers • Common Vulnerabilities and

    Exposures • Provides a common reference for any vulnerability • Operated by Mitre Corp, funded by US gov (DHS) • https://cve.mitre.org • https://nvd.nist.gov/vuln/search • PHPMailer’s issues assigned numbers
 CVE-2016-10033, CVE-2016-10045
  8. Marcus Bointon @SynchroM joind.in/talk/61f6a Type & Severity • Part of

    a CVE report • Common types: Remote Code Execution (“RCE”), SQL injection, XSS, Denial of Service (“DoS”) • Severity rating via the CVSS numeric scoring system, and/or a critical/high/medium/low rating • PHPMailer’s two CVEs were rated 9.8/Critical
  9. Marcus Bointon @SynchroM joind.in/talk/61f6a What was the issue? <?php namespace

    PHPMailer\PHPMailer; require 'src/PHPMailer.php'; $mail = new PHPMailer; $mailSubject = 'test'; $mailsetFrom($_POST['email']); $mailaddAddress('noddy@example.com'); $mailBody = '<strong>hello</strong>'; $mailsend();
  10. Marcus Bointon @SynchroM joind.in/talk/61f6a CVE-2016-10033 • $params = sprintf('-f%s', $thisSender);

    • An attack string can be a valid email address! So we escape it, right? • $params = sprintf('-f%s', escapeshellarg($thisSender)); • At this point someone posted an exploit! • We had become a zero-day vuln • Rushed out a release as PHPMailer 5.2.18 • …also known as CVE-2016-10045!
  11. Marcus Bointon @SynchroM joind.in/talk/61f6a CVE-2016-10045 • We think we are

    doing this: • $mailcommand . escapeshellarg($param) • But mail() applies escapeshellcmd() internally! • escapeshellcmd($command . escapeshellarg($param)) • and the result of this is undefined and exploitable! • Workaround released in PHPMailer 5.2.20 • This is fundamentally a PHP bug
  12. Marcus Bointon @SynchroM joind.in/talk/61f6a Getting help • The security researcher

    that reported the problem was very helpful • Reviewed and verified mitigations • Other researchers turned up to help • Not the usual contributors
  13. Marcus Bointon @SynchroM joind.in/talk/61f6a Press & exposure • This was

    quite a big deal – affected Wordpress, Joomla, Drupal etc, millions of sites • Articles in Securityweek, Naked security, Hacker news, The Register, Reddit, SANS newsletter • Often misreported as input validation error • The usual PHP abuse, but comments on handling the vuln were generally positive • No personal abuse at all - no media contact either
  14. Marcus Bointon @SynchroM joind.in/talk/61f6a Post-mortem • How had other PHP

    email libs fixed this? • They hadn’t! • Zend_Mail, SwiftMailer, RoundCube all vulnerable • Similar bugs in Python, Ruby, NodeJS libs • Researcher wrote a long article about the general vulnerability of PHP’s mail() function
  15. Marcus Bointon @SynchroM joind.in/talk/61f6a Lessons learned • Don’t use mail()

    • Open source is awesome! • When it matters, people will help • It’s not all left to you • Security researchers and whistleblowers need effective legal protection as a matter of national policy
  16. Marcus Bointon @SynchroM joind.in/talk/61f6a Why be a maintainer? Hi Marcus,

    I’ve been digging around PHPMailer GitHub issues a fair amount lately, and just wanted to say that I admire your diligence, patience, and sense of humor responding to a variety of comments from people of different competencies. Your broken light bulb analogy made me laugh out loud. The internet needs more people like you, sir. Cheers!
  17. Marcus Bointon @SynchroM joind.in/talk/61f6a Donations? • Time, Effort, Enthusiasm •

    Beyond code - Support, coordination, documentation • Differentiate between project and personal • Paypal, Patreon • Make it easy!
  18. Marcus Bointon @SynchroM joind.in/talk/61f6a Thank you to… • Dawid Golunski

    of legalhackers.com @dawid_golunski • Those who commented, submitted patches, reviewed code • All those users who provide feedback and bug reports every day • To every open-source project
  19. Marcus Bointon @SynchroM joind.in/talk/61f6a — Richard Feynman “I would rather

    have questions that can't be answered than answers that can't be questioned” Questions
  20. Marcus Bointon @SynchroM joind.in/talk/61f6a Marcus Bointon marcus@synchromedia.co.uk @SynchroM Synchro on

    GitHub & Stack Exchange Feedback please! joind.in/talk/61f6a Thank you!
  21. None